Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Input Devices

Cheap Thermal Imagers Can Steal User PINs 101

Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint last for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns.
This discussion has been archived. No new comments can be posted.

Cheap Thermal Imagers Can Steal User PINs

Comments Filter:
  • Just wipe the screen or keys and then breathe on it, if you're really worried about this (there's very, very little reason to be, really).

    With modern oleophobic screens you might not even need to wipe it down.

  • Not new news (Score:4, Insightful)

    by 93 Escort Wagon ( 326346 ) on Saturday August 22, 2015 @04:27PM (#50371393)

    I recall seeing a demo of this probably two years ago. It's easily countervened by placing your fingers on all the keys (without pressing, of course) after you've entered your PIN.

    • You don't understand. When you can append "using a cell phone" to any behavior it becomes news all over again.

      I'm pretty sure I saw this in the movie National Treasure over 10 years ago - and I doubt Hollywood invented the idea so it's probably decades old.

    • by AmiMoJo ( 196126 )

      Android has supported randomizing the position of the the numbers on the virtual keypad for years. It's pretty funny watching smug gits who think they can unlock your phone by looking at the smudges on the screen fail.

      ATMs could do the same thing. Samsung door entry keypads also have a feature where they require you to press a couple of randomly selected keys to keep wear even, which could easily be extended.

  • by pushing-robot ( 1037830 ) on Saturday August 22, 2015 @04:33PM (#50371407)

    Use the thermal goggles, Fisher. They should allow you to see the heat signatures on the keypads.

  • by JustAnotherOldGuy ( 4145623 ) on Saturday August 22, 2015 @05:06PM (#50371533) Journal

    This has been possible for quite some time now, and is hardly breaking news. The story is so old that the first time it was posted, Slashdot still came on clay tablets.

  • by Behrooz Amoozad ( 2831361 ) on Saturday August 22, 2015 @06:51PM (#50371857)
    I'm sorry but I see like two dozen people giving idiotic ideas and advising against eachothers workarounds. Put the damn phone in your pocket, it will be so hot your fingers simply won't matter.
  • I haven't used an ATM in decades. I simply buy something at Walmart or Sam's Club and get cash back using my Discover card. It's far easier to find a Walmart than your bank's ATM. It's not uncommon for me to walk in to Walmart and walk out with $60 cash and a bag of Lindt chocolates. I even have a name for it, I call it a "truffle withdrawal".

    • by DamonHD ( 794830 )

      And you think that a retail outlet handles your credentials more securely than a bank/ATM?

      Rgds

      Damon

      • by marciot ( 598356 )

        And you think that a retail outlet handles your credentials more securely than a bank/ATM?

        Rgds

        Damon

        Credit cards are pretty good about not making you pay for fraudulent activities.

        • by DamonHD ( 794830 )

          And you're not paying (heavily) for cash advances on a credit card?

          Rgds

          Damon

      • by cfalcon ( 779563 )

        I do think that, actually.

        I'm not sure of it though. Anyway, here's my reasoning: if I go to a grocery store and punch my PIN in, I'm using a device that a ton of people are using, with witnesses all around pretty much 24/7 (or at least when the store is open- I normally use a 24/7 store). It's not there to begrudgingly service night life and charge some fee, or as an obligation because bankers hours are a joke, it's there to run transaction pretty much full time.

        This makes it a tempting target for an at

        • by DamonHD ( 794830 )

          Banks care all about reputation (nominally) and normal retail cares all about minimising costs.

          Thus data breaches, hacked PIN entry pads, etc, are generally a retail phenomenon.

          Rgds

          Damon

  • by Snotnose ( 212196 ) on Saturday August 22, 2015 @07:54PM (#50372067)
    Enter your pin, then hit 1-0 on the keypad. Problem solved. I've actually been doing that for a couple years now, don't remember why.
  • I only use the center key and type my PIN in Morse code.

  • ... to notice general trends. Over multiple ATM's in my city, I have concluded that the number 5 is the most frequently used digit on a pin pad. Whether that is enough information to make it easier to crack someone's pin is debatable, but I thought it was interesting.
  • This only works if someone has your PIN and a gun, and you don't have a gun. If they don't have a gun and that use this to get your PIN and then they tell you to give you your card, you just shoot them in the neck, make an ironic comment about them not needing your PIN, and go home. If they've got a gun and you haven't, then you're giving them the card and PIN anyway. There's like no scenario when you need to breath on the keys, press extra ones etc.

  • randomize the keyboard layout. i've seen the door keypads at an FBI office which randomize the keypad layout. re-randomizing it after each press could help, too. who says passwords need to be letters and numbers? how about passwords that are a sequence of cat picture?
    • Why not a fingerprint scanner like we have on a variety of smartphones..

      • Because once your fingerprint is compromised you can't change it to something else. Well that's not exactly true but it is much more difficult to change than a simple pass code. The same is pretty much true for all biometric security systems.

  • The video shows someone pressing each of the keys firmly for a second or longer so that the keys have time to heat up. Who the hell enters a PIN like that?

  • My PIN is all ones, but nobody will find out in what order.

  • A "security" company has discovered that a cheap, easily available gun can be used to harm or even kill a user at a distance by projecting a small piece of dense metal into the body. The damage has been shown to last a minute or longer.

    That's especially worrying if you are ever within the line-of-sight of another human being, as so many users are! Click through for our press release and support our pioneering work.

Avoid strange women and temporary variables.

Working...